Access Denied--Implementing NTLMv2 on Win2K, NT, and Win9x machines

Having read about the weaknesses in the NT LAN Manager (NTLM) authentication protocol in your Windows 2000 Magazine article "Protect Your Passwords," InstantDoc ID 3844, I want to upgrade to NTLMv2. I have a mix of Windows 2000, Windows NT, and Windows 9x computers. To prepare for the upgrade, I know that I need to install the most recent service pack on the NT computers, but where can I get the Active Directory (AD) client for Win9x computers that the article mentions?

You're right: whenever you log on over the network from a Win2K computer in an NT domain, or from any NT or Win9x computer, the logon uses the NTLM authentication protocol. NTLM is vulnerable to eavesdropping and subsequent attack with tools such as @stake's L0phtCrack. You can defeat such attacks by implementing NTLMv2. On Win2K, simply set LAN Manager Authentication Level under \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options to Send NTLMv2 response only. On NT, you need Service Pack 4 (SP4) or later. Create the registry value LMCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set it to 3. On Win9x, you need to make the same registry change and install the Directory Services client, which you can find on your Win2K CD-ROM in the Clients\Win9x folder. You must install this client even if you don't use AD.
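As an added example that is not part of the column, here is a PowerShell check (assumed to run in an elevated prompt on a Windows host where the same Lsa key and value name still exist) that reads LMCompatibilityLevel, reports what the level means, and optionally raises it to the NTLMv2-only minimum of 3. A missing value is the weak case to watch for: on NT and Win2K it means the default of level 0, so LM and NTLM responses are still sent.

```powershell
# Added audit example (not the article's own). Reads LMCompatibilityLevel and
# compares it with the NTLMv2-only minimum the column recommends.
# Assumption: -Enforce needs an elevated prompt; the change takes effect after a reboot.
param([switch]$Enforce)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LMCompatibilityLevel'
$Minimum   = 3   # "Send NTLMv2 response only"

# Documented meanings of the six levels. Levels 4 and 5 additionally control
# what the machine accepts as a server, not just what it sends as a client.
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    # Value absent: treated as level 0, the NT/Win2K default (newer Windows defaults to 3).
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

$level = Get-LmCompatibilityLevel
Write-Host ("{0} = {1} ({2})" -f $ValueName, $level, $Meaning[$level])

if ($level -lt $Minimum) {
    Write-Warning "Below the NTLMv2-only minimum ($Minimum): LM/NTLM responses can still be captured on the wire."
    if ($Enforce) {
        # -Force creates the REG_DWORD value if it is missing and overwrites it if present.
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Minimum -PropertyType DWord -Force | Out-Null
        Write-Host "Set $ValueName to $Minimum; reboot so the LSA picks up the new level."
    }
} else {
    Write-Host 'OK: NTLMv2-only (or stricter) is in effect.'
}
```

Run it without switches to audit, or with -Enforce to apply the minimum; remember that raising the level on one machine only helps if the servers it talks to accept NTLMv2.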
